Another server security lapse at NASA exposed staff and project data

Two months ago, NASA quietly fixed a buggy internal server that was leaking sensitive information about the agency’s staff and their work.

The leaking server was — ironically — a bug reporting server, running the popular Jira bug triaging and tracking software. In NASA’s case, the software wasn’t properly configured, allowing anyone to access the server without a password, Avinash Jain, an India-based security researcher who found the exposed server, told TechCrunch.

According to Jain’s writeup, some Jira instances can be misconfigured to grant “everyone” access without a password. In Jira, that grant includes anyone on the internet, not just everyone within the organization, as some administrators assume.

This was the case for NASA’s leaking server.
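The misconfiguration described above is a permission-scheme problem: Jira’s “anyone” grant reaches anonymous visitors, not just logged-in members of the organization. The following script is an added defender-side check, not code from the article, from NASA or from Atlassian. It assumes the JSON shape Jira’s REST API returns for a permission scheme (`permissions[].permission` and `permissions[].holder.type`), classifies each grant by how far it reaches, and flags any permission that anonymous users can exercise. The two sample schemes are constructed for illustration; the group name and role id in them are placeholders.

```python
"""Audit a Jira permission scheme for grants that reach beyond the organization.

Added example (not from the article, NASA or Atlassian). Assumes the JSON layout
of Jira's permission-scheme REST resource: a "permissions" list whose entries
carry a "permission" key (e.g. BROWSE_PROJECTS) and a "holder" object with a
"type" (anyone, group, projectRole, applicationRole, user, ...) and an optional
"parameter" (the group name, role id, etc.).
"""
import json

# How far each holder type reaches. "anyone" is Jira's grant for anonymous
# users, so it includes anyone who can reach the server over the internet.
# "applicationRole" covers every logged-in user holding that application licence.
EXPOSURE_ORDER = {"scoped": 0, "any_logged_in": 1, "anonymous": 2}


def exposure_of(holder: dict) -> str:
    """Classify a single permission holder by who it lets in."""
    htype = holder.get("type")
    if htype == "anyone":
        return "anonymous"
    if htype == "applicationRole":
        return "any_logged_in"
    return "scoped"  # group, projectRole, user, projectLead, reporter, ...


def audit_scheme(scheme_json: str) -> dict:
    """Return {permission: widest exposure level} across all grants in the scheme.

    A permission granted both to a project role and to "anyone" is reported as
    "anonymous", because the widest grant is the one an attacker benefits from.
    """
    scheme = json.loads(scheme_json)
    worst = {}
    for grant in scheme.get("permissions", []):
        perm = grant.get("permission")
        if not perm:
            continue
        level = exposure_of(grant.get("holder", {}))
        current = worst.get(perm, "scoped")
        worst[perm] = max(current, level, key=EXPOSURE_ORDER.__getitem__)
    return worst


def anonymous_permissions(scheme_json: str) -> list:
    """Permissions that unauthenticated visitors can use; empty means no anonymous leak."""
    return sorted(p for p, lvl in audit_scheme(scheme_json).items() if lvl == "anonymous")


# Constructed sample: the weak scheme, where browsing projects (and therefore
# issues, assignees and milestones) is open to anonymous users.
WEAK_SCHEME = json.dumps({
    "name": "constructed-weak-scheme",
    "permissions": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "anyone"}},
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}},
        {"permission": "CREATE_ISSUES", "holder": {"type": "applicationRole"}},
        {"permission": "ADMINISTER_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}},
    ],
})

# Constructed sample: the corrected scheme, with browsing limited to a named group.
HARDENED_SCHEME = json.dumps({
    "name": "constructed-hardened-scheme",
    "permissions": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "example-staff"}},
        {"permission": "CREATE_ISSUES", "holder": {"type": "group", "parameter": "example-staff"}},
        {"permission": "ADMINISTER_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}},
    ],
})

if __name__ == "__main__":
    for label, scheme in (("weak", WEAK_SCHEME), ("hardened", HARDENED_SCHEME)):
        print(label, audit_scheme(scheme), "anonymous:", anonymous_permissions(scheme))
```

Run against an exported scheme, the script reports `BROWSE_PROJECTS: anonymous` for the weak configuration and nothing under `anonymous` for the hardened one. The design choice worth noting is the `max` over grants: Jira permissions are additive, so a narrow grant next to an “anyone” grant does not narrow anything, and an audit that looked only at the first matching grant would miss exactly the case the article describes.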

Jain found the leaking server in October exposing NASA staff usernames and email addresses and the projects they were working on. Because Jira holds information about bugs and issues within an organization, including work in progress, the server also gave up what agency staff were working on and their upcoming milestones.

It’s not known if any classified information was on the Jira server, such as names or details of sensitive projects. Jain also said it’s not clear how many NASA staff users were in the database, as Jira limits searches to 1,000 results at a time.

After he contacted NASA and CERT/CC, the vulnerability disclosure center at Carnegie Mellon University, the exposed server was fixed some three weeks later, he said.

NASA never responded to his private disclosure.

Although NASA has a page on HackerOne, a vulnerability reporting platform, that lets researchers email NASA about security issues, the agency doesn’t have a dedicated bug bounty program.

“I dropped [NASA] around five emails before it was fixed, and I was never informed that it was fixed,” he told TechCrunch.

NASA’s most recent breach disclosure came just before Christmas, when the agency reported a data compromise affecting current and former NASA employees between July 2006 and October 2018. But CERT/CC told Jain in an email that there was “no evidence” his finding was related to that breach.

NASA was unable to comment during the government shutdown, according to an automated message on the agency’s press line.